consul/grecia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Raise an exception on open redirects

Browse Source 
This way we'll add an extra layer of protection from attacks that might
cause our application to redirect to an external host.

There's one place where we're allowing redirects to external hosts,
though: administrators can link external resources in notifications, and
we're redirecting to them after marking the notification as read.

Since the tests for the remote translations controller were
(accidentally) using an external redirect, we're updating them to use a
relative URL.
This commit is contained in:
Javi Martín
2024-03-28 02:59:07 +01:00
parent 9b4525ac71
commit cc628f0363
3 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
spec/controllers/remote_translations_controller_spec.rb
View File

@@ -11,7 +11,7 @@ describe RemoteTranslationsController, :remote_translations do
end
before do
request.env["HTTP_REFERER"] = "any_path"
request.env["HTTP_REFERER"] = "/any_path"
end
it "create correctly remote translation" do
@@ -39,7 +39,7 @@ describe RemoteTranslationsController, :remote_translations do
it "redirect_to request referer after create" do
post :create, params: { remote_translations: remote_translations_params }
expect(subject).to redirect_to("any_path")
expect(subject).to redirect_to "/any_path"
end
end
end